1 Introduction 

The Dual Elliptic Curve Pseudorandom Generator (DEC PRG) is proposed by Barker and Kelsey [2]. 
It is claimed (see Section 10.3.1 of [2]) that the pseudorandom generator is secure unless the adversary 
can solve the elliptic curve discrete logarithm problem (ECDLP) for the corresponding elliptic curve. 
The claim is supported only by an informal discussion. No security reduction is given, that is, it is not 
shown that an adversary that breaks the pseudorandom generator implies a solver for the ECDLP. 

Our experimental results, together with an empirical argument, show that the DEC PRG is insecure. The 
attack does not involve solving the ECDLP for the corresponding elliptic curve. The attack is very 
efficient: it can be run on an ordinary PC. 

Actually, the generator is insecure because pseudorandom bits are extracted from points of the 
elliptic curve improperly. The authors of [2] assume that the 240 least significant bits of the x-coordinate of a 
random point of the elliptic curve over the prime field $\mathbb{F}_p$, where $\lceil \log_2 p \rceil = 256$, are indistinguishable 
from 240 uniformly distributed random bits. We show that this is not the case. Based on this 
observation, we construct an algorithm (an adversary) that efficiently distinguishes the pseudorandom 
sequences produced by the DEC PRG from sequences of uniformly distributed random bits. 

We note that the complexity of our attack is proportional to $2^{256-240} = 2^{16}$, so extracting fewer 
than 240 bits (say, $\leq 176$ bits) makes the attack impractical. However, extracting fewer random bits does 
not guarantee that no other attack successfully breaks the pseudorandom generator. 
The reason is that the DEC PRG is not provably secure: its security does not provably rely on the 
intractability of the ECDLP. To obtain a truly provably secure pseudorandom generator one has to 
construct a security reduction, that is, to show that breaking the generator does imply solving a 
well-known and supposedly difficult problem (e.g., ECDLP, factoring, etc.). 

In fact, provable security might be the only argument in favor of the relatively slow DEC PRG 
versus more efficient generators based on hash functions and block ciphers (e.g., the generators 
described in Sections 10.1 and 10.2 of [2]). Unfortunately, the DEC PRG is not secure, so there is no 
reason to use this generator rather than the others. 

2 The Dual Elliptic Curve Pseudorandom Generator 

Let $p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1$. Let $E(\mathbb{F}_p)$ denote the elliptic curve over $\mathbb{F}_p$ consisting of all pairs 
$(x, y) \in \mathbb{F}_p \times \mathbb{F}_p$ such that 

$$y^2 = x^3 + ax + b,$$

where 

a = 115792089210356248762697446949407573530086143415290314195533631308867097853948, 
b = 41058363725152142129326129780047268409114441015993725554835256314039467401291, 

and a point at infinity $O$. Let $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ be two points of the elliptic curve $E(\mathbb{F}_p)$ 
such that 

x_P = 48439561293906451759052585252797914202762949526041747995844080717082404635286, 
y_P = 36134250956749795798585127919587881956611106672985015071877198253568414405109, 
x_Q = 91120319633256209954638481795610364441930342474826146651283703640232629993874, 
y_Q = 80764272623998874743522585409326200078679332703816718187804498579075161456710. 

The constants are taken from Appendix A.1 of [2]. Note that the scalar $a$ such that $P = aQ$ 
is difficult to determine due to the intractability of the elliptic curve discrete logarithm problem 
(ECDLP). 

The seed of the Dual Elliptic Curve pseudorandom generator (DEC PRG) is a random integer 
$s_0 \in_R \{0, 1, \ldots, \#E(\mathbb{F}_p) - 1\}$, where $\#E(\mathbb{F}_p)$ denotes the number of points on the curve. Let 
$x : E(\mathbb{F}_p) \to \mathbb{F}_p$ denote the function that gives the x-coordinate of a point of the curve. Let $\mathrm{lsb}_i(s)$ denote 
the $i$ least significant bits of an integer $s$. For example, $\mathrm{lsb}_3(23) = 7$, since $23 = (10111)_2$. The DEC PRG 
transforms the seed into a pseudorandom sequence of length $240k$, $k > 0$, as follows. 

Algorithm 1 Dual Elliptic Curve pseudorandom generator 
Input: $s_0 \in \{0, 1, \ldots, \#E(\mathbb{F}_p) - 1\}$, $k > 0$ 
Output: $240k$ bits 
for $i = 1$ to $k$ do 
    Set $s_i \leftarrow x(s_{i-1}P)$ 
    Set $r_i \leftarrow \mathrm{lsb}_{240}(x(s_iQ))$ 
end for 
Return $r_1, \ldots, r_k$ 



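Algorithm 1 in runnable form, as an added example (this is not the authors' C++/NTL simulation): affine point arithmetic over the curve of Section 2 using the constants printed there. The group order $\#E(\mathbb{F}_p)$ is the standard P-256 order, which the paper does not print; the seed range check and the explicit error for the point at infinity (where $x$ is undefined) are this example's own additions.

```python
# Added example: Algorithm 1 (the DEC PRG of Section 2) in plain Python with
# affine point arithmetic. Not the authors' C++/NTL simulation.
# p, a, b, P and Q are the constants printed in Section 2.

P_MOD = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = 115792089210356248762697446949407573530086143415290314195533631308867097853948
B = 41058363725152142129326129780047268409114441015993725554835256314039467401291
P_POINT = (48439561293906451759052585252797914202762949526041747995844080717082404635286,
           36134250956749795798585127919587881956611106672985015071877198253568414405109)
Q_POINT = (91120319633256209954638481795610364441930342474826146651283703640232629993874,
           80764272623998874743522585409326200078679332703816718187804498579075161456710)
# #E(F_p): the paper only says it is close to 2^256; this is the P-256 group
# order from the standard (the curve above is P-256, cofactor 1).
CURVE_ORDER = 115792089210356248762697446949407573529996955224135760342422259061068512044369
OUT_BITS = 240   # the generator outputs lsb_240(x(s_i Q)) per step


def is_on_curve(pt):
    """True if pt satisfies y^2 = x^3 + a x + b (mod p); None is the point at infinity O."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def ec_add(p1, p2):
    """Affine addition on E(F_p); None represents O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                        # p1 = -p2 (also covers doubling with y = 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)          # chord slope
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc, addend = None, pt
    while k > 0:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def lsb(i, s):
    """The i least significant bits of the integer s, as an integer (lsb_3(23) = 7)."""
    return s & ((1 << i) - 1)


def x_coord(pt):
    """The map x : E(F_p) -> F_p; undefined on O, a case Algorithm 1 does not cover."""
    if pt is None:
        raise ValueError("x-coordinate of the point at infinity is undefined")
    return pt[0]


def dual_ec_prg(seed, k):
    """Algorithm 1: return (r_1..r_k, s_k). Each r_i is a 240-bit integer; the
    final state s_k is returned so the stream can be continued."""
    if not 0 <= seed < CURVE_ORDER:
        raise ValueError("seed out of range {0, ..., #E(F_p) - 1}")
    s, blocks = seed, []
    for _ in range(k):
        s = x_coord(ec_mul(s, P_POINT))                              # s_i = x(s_{i-1} P)
        blocks.append(lsb(OUT_BITS, x_coord(ec_mul(s, Q_POINT))))   # r_i = lsb_240(x(s_i Q))
    return blocks, s


if __name__ == "__main__":
    out, state = dual_ec_prg(0x1234, 4)
    for i, r in enumerate(out, 1):
        print(f"r_{i} = {r:060x}")
```

Each step costs two scalar multiplications with 256-bit scalars, which is why the paper calls the generator slow compared with hash- or block-cipher-based designs; note also that the state update keeps the whole x-coordinate while the output discards only its top 16 bits.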
The authors of [2] claim that 

Backtracking resistance is built into the design, as knowledge of $s_1$ does not allow an 
adversary to determine $s_0$ (and so forth) unless the adversary is able to solve the ECDLP for 
that specific curve. In addition, knowledge of $r_1$ does not allow an adversary to determine 
$s_1$ (and so forth) unless the adversary is able to solve the ECDLP for that specific curve. 

Note that backtracking (in other words, predicting) is equivalent to distinguishing the output of 
the pseudorandom generator from a sequence of uniformly distributed random bits [6]. In the next 
section we show that the output of the DEC PRG can be efficiently distinguished from a sequence 
of uniformly distributed random bits. The distinguishing attack does not involve solving the ECDLP 
for the given curve. This means that the pseudorandom generator is insecure and cannot be used for 
cryptographic purposes. 

3 The Distinguishing Attack on the DEC PRG 

The output of the pseudorandom generator consists of $k$ 240-bit blocks. For a block $r \in \{0,1\}^{240}$ let 
$\phi(r)$ denote the number of points $T$ on the elliptic curve $E(\mathbb{F}_p)$ such that $\mathrm{lsb}_{240}(x(T)) = r$. 

At each step $i$, the DEC PRG outputs $r_i = \mathrm{lsb}_{240}(x(s_iQ))$. The generator is secure if and only if 
$r_i$ is indistinguishable from 240 uniformly distributed random bits for all $i = 1, \ldots, k$. We will see, 
however, that $r_i$ can be distinguished from 240 uniformly distributed random bits. 

The argument of this section does not pretend to be a strict justification of the attack. On the 
contrary, it just gives the reader an intuition of how the attack works. 

It is shown by Brown [3] that the sequence of points $s_iQ$ is indistinguishable from a sequence 
of points chosen uniformly at random under the assumption that the DDH problem and the non-standard 
x-logarithm problem are intractable in $E(\mathbb{F}_p)$. Therefore, it is reasonable to assume that 
$s_iQ$ behaves like a random point on the curve, $i = 1, \ldots, k$. Then, for $r \in \{0,1\}^{240}$ the probability that 
a certain output block is equal to $r$ is $\phi(r)/\#E(\mathbb{F}_p)$. Thus, if $\phi(r_1) > \phi(r_2)$ for $r_1, r_2 \in \{0,1\}^{240}$, 
the probability that a certain output block is equal to $r_1$ is higher than the probability that this block 
is equal to $r_2$. Moreover, we will see that the difference between the probabilities is observable. 

The number of points on the elliptic curve is close to $2^{256}$ (the difference is of order $2^{224}$). Therefore, 
for $r \in_R \{0,1\}^{240}$, where the notation "$\in_R$" means that the element is chosen uniformly at random 
from the corresponding set, the expected value of $\phi(r)$ is approximately $2^{256-240} = 2^{16}$. 
On the contrary, for a block $r$ generated by the DEC PRG the expected value of $\phi(r)$ is higher than $2^{16}$. 
Figures 1 and 2 provide experimental evidence for this fact. Figure 1 gives the number of output 
blocks $r$ with a certain value of $\phi(r)$ (the total number of generated blocks is 1320000). Intuitively, 
the outcome distribution should fit a normal distribution. The least-squares method shows that the 
closest normal distribution has parameters $\mu = 65537.0$ (rather than 65536) and $\sigma = 255.6$. Figure 2 
shows that the two distributions are indeed very close. 

The latter observation suggests a simple attack on the pseudorandom generator. Take an output 
block $r$ and calculate $\phi(r)$. The calculation takes time proportional to $2^{16}$. If $\phi(r) > 2^{16}$, conclude 
that the sequence is produced by the DEC PRG. Otherwise, conclude that the sequence is random 
with uniform distribution. Due to the above argument, for a block $r$ output by the DEC PRG 

$$\Pr[\phi(r) > 2^{16}] = 1 - \frac{1}{\sqrt{2\pi}\,\sigma} \int_{-\infty}^{2^{16}} \exp\!\left[-\frac{(z-\mu)^2}{2\sigma^2}\right] dz \approx 0.50156.$$

Therefore, our attack guesses correctly with probability about 0.50078 (the average of 0.50156, the 
success probability on DEC PRG output, and 1/2, the success probability on uniformly random input, 
the two cases being equally likely). 

The success probability of the attack can be improved if one takes into account more than one 
output block, say $k$ blocks, $k > 1$, and calculates the average value of $\phi(r)$. In our experiments, we 
used $k = 4000$. Note that the sum of $k$ random variables that have normal distribution with mean $\mu$ 
and variance $\sigma^2$ has normal distribution with mean $k\mu$ and variance $k\sigma^2$. Then, 

$$\Pr[\phi(r_1) + \cdots + \phi(r_k) > 2^{16}k] = 1 - \frac{1}{\sqrt{2\pi k}\,\sigma} \int_{-\infty}^{2^{16}k} \exp\!\left[-\frac{(z-k\mu)^2}{2k\sigma^2}\right] dz \approx 0.59757,$$

so the success probability of the improved attack is 0.548785. The running time is proportional to 
$4000 \cdot 2^{16} \approx 2^{28}$. 
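The distinguisher of this section in code, serving both the definition of $\phi(r)$ above and the single-block and averaged attacks, as an added example that is not the authors' C++/NTL simulation. The constants are those printed in Section 2; `out_bits` is this example's generalisation of the fixed 240 so the same routine can be exercised with fewer candidate x-coordinates (at 240 bits, one block costs $2^{16}$ Legendre-symbol computations, a few seconds in pure Python). The success-probability routine evaluates the two normal-approximation formulas above with $\mu = 65537.0$ and $\sigma = 255.6$ and, as the paper does implicitly, averages the detection probability with the $1/2$ obtained on uniformly random input.

```python
import math

# Added example of the distinguishing attack of Section 3: phi(r) counted over
# the 2^16 candidate x-coordinates, the averaged decision over k blocks, and the
# normal-approximation success probabilities. Not the authors' C++/NTL code.
# p, a, b and x_P are the constants printed in Section 2; out_bits generalises
# the fixed 240 of the paper so the routine can also be exercised at small scale.

P_MOD = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = 115792089210356248762697446949407573530086143415290314195533631308867097853948
B = 41058363725152142129326129780047268409114441015993725554835256314039467401291
X_P = 48439561293906451759052585252797914202762949526041747995844080717082404635286


def lsb(i, s):
    """The i least significant bits of s, as an integer."""
    return s & ((1 << i) - 1)


def phi(r, out_bits=240):
    """Number of points T on E(F_p) with lsb_{out_bits}(x(T)) = r.

    The candidates are x = r + h * 2^out_bits for 0 <= h < 2^(256 - out_bits)
    with x < p. Each x contributes two points when x^3 + a x + b is a non-zero
    square mod p (Euler's criterion), one when it is zero, and none otherwise.
    For out_bits = 240 this is the 2^16 Legendre-symbol computations per block
    that the paper counts as the cost of the attack.
    """
    count = 0
    for h in range(1 << (256 - out_bits)):
        x = r + (h << out_bits)
        if x >= P_MOD:
            continue                          # not an element of F_p
        w = (x * x * x + A * x + B) % P_MOD
        if w == 0:
            count += 1                        # the single point (x, 0)
        elif pow(w, (P_MOD - 1) // 2, P_MOD) == 1:
            count += 2                        # (x, y) and (x, -y)
    return count


def distinguish(blocks, out_bits=240):
    """Averaged attack: mean of phi over the observed blocks, and the verdict
    'produced by the DEC PRG' when that mean exceeds 2^(256 - out_bits)."""
    mean = sum(phi(r, out_bits) for r in blocks) / len(blocks)
    return mean, mean > 2 ** (256 - out_bits)


def success_probability(k, mu=65537.0, sigma=255.6, threshold=2**16):
    """Normal approximation for k blocks: the probability that the sum of the
    phi(r_i) exceeds threshold*k for DEC PRG output (mean k*mu, variance
    k*sigma^2), and the attack's overall success probability, i.e. the average
    of that value and the 1/2 assumed for uniformly random input (mean 2^16)."""
    z = (threshold * k - k * mu) / (sigma * math.sqrt(k))
    detect = 1.0 - 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))   # 1 - Phi(z)
    return detect, 0.5 * (detect + 0.5)


if __name__ == "__main__":
    for k in (1, 4000):
        d, s = success_probability(k)
        print(f"k={k}: Pr[sum > 2^16 k] = {d:.5f}, attack succeeds with {s:.6f}")
    # Small-scale run: keep 250 bits, so only 2^6 candidate x values per block.
    mean, verdict = distinguish([lsb(250, X_P)], out_bits=250)
    print(f"mean phi = {mean}, guessed DEC PRG: {verdict}")
```

The loop skips candidate values $x \ge p$ because they are not field elements, a detail the $2^{16}$ count glosses over; at 240 bits only blocks with large low bits lose a candidate this way. The advantage per block is tiny (about 0.0016), which is why the paper averages over 4000 blocks: the mean of the $\phi(r_i)$ shifts by one point while its standard deviation shrinks as $\sigma/\sqrt{k}$.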

The simulation was implemented in the C++ programming language using the NTL library [5] for both 
Windows and Linux platforms. In total 330 files of pseudorandom data were generated by the DEC 
PRG. Each file contained 4000 240-bit blocks. The seed for the DEC PRG was obtained using the 
RtlGenRandom() generator of the Platform SDK, which is claimed to be cryptographically secure¹. The 
analysis of 1 file took about 2 hours and 30 minutes on a 3GHz Linux machine with 1Gb of memory. 

¹ This pseudorandom generator is built according to FIPS 186-2 Appendix 3.1 with SHA-1 as the iterated function 
[1]. It gets the seed from the current system information (current process ID, current thread, current time, etc.). 
An independent work is done by Gjøsteen [4], who shows that there exists an algorithm that predicts 
the next bit of the DEC PRG with advantage 0.0011. The work by Gjøsteen is based on ideas similar 
to those proposed in this paper. 

4 Conclusion 

The following lines open Section 10.3 of [2]. 

A DRBG² can be designed to take advantage of number theoretic problems (e.g., the 
discrete logarithm problem). If done correctly, such a generator's properties of randomness 
and/or unpredictability will be assured by the difficulty of finding a solution to that 
problem. This section specifies a DRBG based on the elliptic curve discrete logarithm 
problem. 

Our result shows that the Dual Elliptic Curve pseudorandom generator is not done correctly. The 
authors of [2] only claim the generator to be secure, no security proof is given. We present an efficient 
algorithm that distinguishes the output of the generator from the sequence of uniformly distributed 
random bits, which demonstrates that the generator is in fact insecure. 

The main conclusion of this paper is that when designing a provably secure cryptographic scheme 
(e.g., a pseudorandom generator) one has to pay attention to the security proof (the reduction). An 
informal argument like the one in Section 10.3.1 of [2] is certainly not good enough. The scheme 
with a certain choice of parameters can be claimed to be provably secure only if it is shown that, for 
these parameters, breaking the scheme is as hard as solving a difficult problem faster than the fastest 
algorithm known so far. 
² DRBG stands for "deterministic random bit generator". 
Figure 1: Number of blocks that correspond to a certain number of points on the elliptic curve (in 
total 1320000 blocks were generated) 
Figure 2: The outcome distribution fits the normal distribution with parameters $\mu = 65537.0$ and 
$\sigma = 255.6$ 